The query I had:
index=k8_hc* container_name="*hc*" [search index=k8_hc* container_name="*hc*" RequestID="*" | stats count by InstanceId | table InstanceId ] | stats values(RequestID) as RequestId, count by InstanceId
and your query:
index=k8_hc* container_name="hc" |"your rex for RequestId and InstanceId"
|eventstats values(RequestId) as temp by InstanceId|eval RequestId=coalesce(RequestId,temp)
|stats count by RequestId,InstanceId
There is not much difference in the results of these 2 queries above.
RequestId                  InstanceId  count
abc@xyz.com-0105140313479  5212899     9
abc@xyz.com-0105140313479  5212901     8
abc@xyz.com-0105140313479  5212908     10
abc@xyz.com-0105140313479  5212909     1
My requirement (as I've mentioned earlier):
RequestId                  InstanceId  Count  TotalCount
abc@xyz.com-0105140313479  5212899     9      28
                           5212901     8
                           5212908     10
                           5212909     1
The numbers under Count and Total Count should be clickable to return the results for those categories.
If possible, I would also like to add a "Start Time", "End Time" and "Duration" column as well to understand when "abc@xyz.com-0105140313479" started and ended and what was the duration.
Thanks for helping me out on this, by the way 🙂 Appreciate it.